Skip to content
Snippets Groups Projects
Commit 842bf6b6 authored by David Matlack's avatar David Matlack Committed by Greg Kroah-Hartman
Browse files

KVM: RISC-V: Retry fault if vma_lookup() results become invalid 

commit 2ed90cb0 upstream.

Read mmu_invalidate_seq before dropping the mmap_lock so that KVM can
detect if the results of vma_lookup() (e.g. vma_shift) become stale
before it acquires kvm->mmu_lock. This fixes a theoretical bug where a
VMA could be changed by userspace after vma_lookup() and before KVM
reads the mmu_invalidate_seq, causing KVM to install page table entries
based on a (possibly) no-longer-valid vma_shift.

Re-order the MMU cache top-up to earlier in user_mem_abort() so that it
is not done after KVM has read mmu_invalidate_seq (i.e. so as to avoid
inducing spurious fault retries).

It's unlikely that any sane userspace currently modifies VMAs in such a
way as to trigger this race. And even with directed testing I was unable
to reproduce it. But a sufficiently motivated host userspace might be
able to exploit this race.

Note KVM/ARM had the same bug and was fixed in a separate, near
identical patch (see Link).

Link: https://lore.kernel.org/kvm/20230313235454.2964067-1-dmatlack@google.com/


Fixes: 9955371c ("RISC-V: KVM: Implement MMU notifiers")
Cc: stable@vger.kernel.org
Signed-off-by: default avatarDavid Matlack <dmatlack@google.com>
Tested-by: default avatarAnup Patel <anup@brainfault.org>
Signed-off-by: default avatarAnup Patel <anup@brainfault.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 35ca4fb4
No related branches found
No related tags found
Hide whitespace changes
Inline Side-by-side
Showing
with 16 additions and 9 deletions
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment